The Royal Society/British Academy Report on Data Management and Use: Governance in the 21st Century
Available here: https://royalsociety.org/topics-policy/projects/data-governance/
My response to the Royal Society/British Academy’s invitation to submit a provocation paper : “If you were Chair of a Stewardship Body, what would be your priorities, 1) short-term? 2) medium-term? 3) long-term?”
I write in response to your request for a provocation paper and attach below my views on the matter. My interest and experience in the personal data economy is on its economic impact, the design of the market and the alignment of incentives, as well as the engineering and design of personal data platforms, the data schema and structures. My experience has been to use technology, regulatory, market and civil society levers wherever they may be relevant to achieve the human flourishing objective as part of the mission of the HAT Community Foundation (https://hatcommunity.org). Of course, I am mindful that while choice and empowerment of the individual is key, it is for the individual to decide if he wants to flourish, instead of the decision taken for him by another entity, in the name of human flourishing. There is also consideration of the commons, and the necessary trade offs of commons v individual human flourishing.
As a foundational premise, I wish to acknowledge 2 separate types of personal data that require different approaches to stewardship
Corporation held personal data (CPD)
This is 99.9% of personal data held currently. The practices are diverse. Some corporations do not collect the data (e.g. Telco) while some not only collect it, but run advanced analytics on it. Some SMEs are in fear of going anywhere near personal data as they feel they can’t risk fallout. Many are shutting down login functionalities of websites. This potentially hands the market to businesses that operate outside the EU, through outsourcing contracts. On the other hand, other SMEs are hoovering up data to sell. The stewardship body could provide guidance and skills on data management and governance but also of innovation and opportunities.
Individually controlled personal data (IPD)
A fledgling group of private data accounts such as mydex, citizen.me, Digi.me, people.io, cozy.io, meeco.me as well as HAT (hubofallthings.com) private data accounts such as savy.io, nogginpod.me are bringing a wave of Individually controlled personal data. For example, Facebook data held by Facebook is CPD; the same Facebook data held by private data accounts are IPD. Individually controlled personal data are fully controlled by the individual; can generate new data through personal AI and are potentially a powerful force within the personal data economy. If data controller status is given to the individual (not all private data accounts are technologically or legally designed to do so), consultations with the ICO suggest that they may be also exempt from GDPR 2018.
Based on CPD and IPD, I would argue that personal data has ‘polarity’. This means that for the SAME data, where it sits, how and where it’s used, and by whom, will all have different value and different risks. There needs to be a recognition of that in data science and policy, which implies that approaches to data management and use is a combination of social science and science methodologies. The collaboration of Royal Society with the British Academy in conducting this review, a reflection of such awareness, is most commendable.
My thoughts on actions:
The Internet is thriving on the trade and exchange of personal data, legal or otherwise. Personal data fuels a €272 billion economy of ad and ad blockers, real and fake news, real and satirical media; In short, almost all activity online. Where there are illegal practices, the law can barely be enforced. An Internet service that finds it hard to comply with some practices can move itself to a different jurisdiction and still provide the same service. For a stewardship body to have real influence it needs to understand all the different levers to have a chance at being effective and it must also understand the limits of legislation and the potential moral hazard it creates for digital services. If compliance or stewardship guidance is costly both in terms of economic costs and goodwill from the market, digital services can find another jurisdiction, leaving only the organisations that comply to carry the cost of compliance while others will cream off revenues to a jurisdiction outside the boundaries of legislation. Not only will this reduce the competitiveness of national industries and organisations in the digital economy, the state will lose the ability to tax digital services. The recent cases of Amazon and Apple reinforce this.
For this reason, this provocation deals almost entirely with economic levers.
In the short term, it is important to consider treatment only of data that hold the highest risks, of which they are often also providing the greatest gains. In other words, it is not merely the content of the data that is risky e.g. personal data; but where they are held and how they are accessible. Highly personal data locked down without any access by the organisation outside of their own offices (i.e. not cloud enabled) would have lower risk than data that can be accessed. In other words, there is a need to address data that has high mobility – because mobility of data brings opportunities and risks. By self-selection, firms that allow their data to be most mobile would want to reap the greatest opportunities – they must be aware of the costs, and data governance must be aware of the economic levers for both risks and opportunities brought about by data that has high mobility.
The short-term priority is to engage, document and report the economic levers.
Engage with supply: Engage with tech and non-tech companies that hold personal data. Understand their costs, risks, and opportunities. Engage with IoT device makers and apps that are generating petabytes personal data, some anonymising and selling them to fund their activities. Others are expunging personal data to mitigate risks. Understand practices and motivations. Summarise the economic levers that would influence supply and potential interventions.
Engage with demand: Get a full understanding of what models are fuelling the 31 billion dollar Advertising tech market. Specifically, this market buys ‘signals’ which are transformed personal data that tells the marketer the person’s propensity to receive what kind of messages, content, ads etc. Transformation of data to signals is what fuels the personal data economy. Raw personal data is still valuable, but its proportion of real worth is likely to be the same worth of a lump of charcoal to the beautiful diamond sold in retail shops. The multiplier effect from the multiple transformation levels (whether within one organisation such as Google, or in the market such as other big data or analytics firms selling insights) cannot be underestimated. Google profits from personal data not because they trade it, but because they can convert data into signals. Hence USD31b advertising economy can generate create a company with a market capitalisation of USD600b. A good understanding of the monetisation, revenue streams, and intermediaries is needed – see how complex the landscape is. http://chiefmartec.com/2016/03/marketing-technology-landscape-supergraphic-2016/
Summarise the economic levers that would influence demand and consider potential interventions
Engage with use: Many consumers do not even know that the underlying fuel for their digital services is personal data. The old saying of uber having no cars, airbnb no property and Facebook having no content just means that these services that are able to coordinate and use personal data or information about user contexts as an asset class of its own. An understanding of what personal data fuels what kind of use would be needed. Understanding the many perceptual and actual challenges around trust, identity, privacy, security, vulnerability, control is key. Summarise behavioral challenges and levers such as scripting, nudges and other design levers that can provide assurances, alleviate perceived risk but on the other hand, could also heighten fear, create concerns and stop usage. Summarise potential interventions.
Engage with management practices, processes and policies: Consolidate some of the useful frameworks that have been developed by consultants and organisations and create a set of best practices.
Engage with tech giants on how they have been governing personal data to document practices.
Summarise best practices and management levers that impacts of supply, demand and use.
Short term, there need to be an empirical understanding of the personal data economy (PDE) and the personal data asset class. As your report has indicated, governance and management cannot be separated. I would argue that with the intense connectivity of both online and offline human personas, all personal data flows are not separable. The key to the stewardship body having any relevance or success is to have a systemic view, with systemic methodologies and to understand the levers for interventions that can assist to achieve the objectives.
Medium to Long term
For the personal data economy model, the medium term is a richer and more robust model with data, able to provide better guidance, stewardship of personal data supply, demand, use and management for governments, policy makers, businesses, citizens.
It would be wise to begin empirical economic cost-benefit modelling (and other modelling initiatives) to stratify personal data to provide useful guidance on what personal data, sat in what environment, would be risky in what context, and with systemic model assumptions. The parameters are known, even in the IoT space. Build scenario models – specifically societal impact, GDP impact
Support the proliferation of Individually controlled Personal Data accounts – they provide genuine alternatives to the current Internet model of Corporate controlled Personal Data.
Work with consumer advocacy groups such as Which! (Who are starting to develop policies in the personal data area) and the ICO on ways to create a more transparent environment of data usage so that enforcement of wrong doing can be possible – both through market mechanisms such as consumer class actions, as well through penalties.
The HAT Foundation Group has provided guidance globally on data governance, in particular the economic models of personal data. It is independent and members owned, but also have oversight and guardianship over an open sourced technology platform for personal data exchange adopted and operated by several providers globally. For almost 6 years, we have been working on the personal data economy, and some of our briefing reports can be downloaded here https://hatresearch.org/hatoutputs/hat-briefing-papers/.
The foundation’s agenda is fully aligned with human flourishing agenda of the report. Indeed, the empowerment of individuals is central to the foundation’s mission. With a full innovation programme of startups building on private data accounts, and a host of partners globally, we stand ready to contribute to the stewardship body.
Professor Irene C L Ng
Chairman, HAT Foundation Group
Operationalising IoT for reverse supply: the development of use-visibility measures http://www.emeraldinsight.com/doi/full/10.1108/SCM-10-2015-0386